From owner-freebsd-current@FreeBSD.ORG Wed Apr 2 15:22:39 2014
Date: Wed, 2 Apr 2014 11:22:32 -0400
From: Shawn Webb
To: Oliver Pinter
Cc: FreeBSD-current
Subject: Re: [CFT] ASLR and PIE on amd64
Message-ID: <20140402152232.GF20907@pwnie.vrt.sourcefire.com>
References: <20140331002436.GB14025@pwnie.vrt.sourcefire.com>
X-PGP-Key: http://pgp.mit.edu/pks/lookup?op=vindex&search=0x6A84658F52456EEE
User-Agent: Mutt/1.5.23 (2014-03-12)

On Apr 02, 2014 04:54 PM +0200, Oliver Pinter wrote:
> On 4/2/14, Oliver Pinter wrote:
> > On 3/31/14, Shawn Webb wrote:
> >> On Mar 31, 2014 02:07 AM +0200, Oliver Pinter wrote:
> >>> On 3/22/14, Shawn Webb wrote:
> >>> > Hey All,
> >>> >
> >>> > First off, I hope that even as a non-committer, it's okay that I post
> >>> > a call for testing. If not, please excuse my newbishness in this
> >>> > process. This is my first time submitting a major patch upstream to
> >>> > FreeBSD.
> >>> >
> >>> > Over the past few months, I've had the opportunity and pleasure to
> >>> > enhance existing patches to FreeBSD that implement a common exploit
> >>> > mitigation technology called Address Space Layout Randomization (ASLR)
> >>> > along with support for Position Independent Executables (PIE).
> >>> > ASLR+PIE has been a long-requested feature by many people I've met on
> >>> > IRC.
> >>> >
> >>> > I've submitted my patch to PR kernel/181497. I'm currently in the
> >>> > process of adding PIE support to certain high-visibility applications
> >>> > in base (mainly network daemons). I've added a make.conf knob that
> >>> > defaults to enabled (WITH_PIE=1). An application has to also explicitly
> >>> > support PIE as well by defining CAN_PIE in the Makefile prior to
> >>> > including bsd.prog.mk. After I get a decent amount of applications
> >>> > enabled with PIE support, I'll submit one last patch.
> >>> >
> >>> > The following sysctls can be set with a kernel compiled with the
> >>> > PAX_ASLR option:
> >>> >
> >>> > security.pax.aslr.status: 1
> >>> > security.pax.aslr.debug: 0
> >>> > security.pax.aslr.mmap_len: 16
> >>> > security.pax.aslr.stack_len: 12
> >>> > security.pax.aslr.exec_len: 12
> >>> >
> >>> > The security.pax.aslr.status sysctl enables and disables the ASLR
> >>> > system as a whole. The debug sysctl gives debugging output. The
> >>> > mmap_len sysctl tells the ASLR system how many bits to randomize when
> >>> > mmap() is called. The stack_len sysctl tells the ASLR system how many
> >>> > bits to randomize in the stack. The exec_len sysctl tells the ASLR
> >>> > system how many bits to randomize the execbase (this controls PIE).
> >>> > These sysctls can be set on a per-jail basis. If you have an
> >>> > application which doesn't support ASLR, yet you want ASLR enabled for
> >>> > everything else, you can simply place that misbehaving application in
> >>> > a jail with only that jail's ASLR settings turned off.
> >>> >
> >>> > Please let me know how your testing goes. I'm giving a presentation at
> >>> > BSDCan regarding this.
> >>> >
> >>> > If you want to keep tabs on my bleeding-edge development process,
> >>> > please follow my progress on GitHub:
> >>> > https://github.com/lattera/freebsd (branch: soldierx/lattera/aslr).
> >>> >
> >>> > Thank you very much,
> >>>
> >>> Hi!
> >>>
> >>> Please apply this patch. This fixed an issue with tunables.
> >>
> >> Patch merged successfully into my GitHub repo. Fixed with commit
> >> d2c0813. I'll include it in my next patch submission upstream when I
> >> submit my PIE work. Thanks!
> >
> > please see the attached patch, compile and boot tested on amd64
>
> Some more patches, and one critical fix
> (0006-PAX-ASLR-use-the-right-sysent-before-this-commit-cal.patch).

You are awesome. I'll integrate those patches today.

In reviewing your patches, I noticed a few places where I'm keying off the
local pax_aslr_debug variable. I ought to switch that to keying off the
jail's pr_pax_aslr_debug variable.
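A tester responding to the CFT above wants to confirm that the three regions the sysctls govern (stack, mmap(), execbase) are really being randomized, and by roughly how many bits. The following C program is an added example, not part of the thread and not code from Shawn's patch: it re-executes itself RUNS times, collects one address from each region per run, and counts the bit positions that change. It assumes it is built as a PIE and launched by a runnable path (argv[0]); RUNS=32 is a constructed choice, and the counts are a lower bound on the randomized bits, independent of how the kernel derives them from mmap_len, stack_len and exec_len.

```c
/* aslr_probe.c: estimate how many address bits the running kernel randomizes
 * for the stack, mmap() regions and the executable base (PIE) by re-executing
 * this program RUNS times and comparing the addresses each run observes.
 * Build as a PIE so execbase randomization is visible:
 *   cc -fPIE -pie -o aslr_probe aslr_probe.c && ./aslr_probe */
#define _DEFAULT_SOURCE 1
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#define RUNS 32   /* sample count chosen for this example; more runs tighten the estimate */

/* Number of bit positions that differ across n sampled addresses: OR every
 * sample's XOR against the first sample, then count the set bits. With a
 * finite number of runs this is a lower bound on the randomized bits. */
int varying_bits(const uintptr_t *a, size_t n) {
    uintptr_t diff = 0;
    for (size_t i = 1; i < n; i++) diff |= a[i] ^ a[0];
    int bits = 0;
    for (; diff; diff >>= 1) bits += (int)(diff & 1);
    return bits;
}

/* Child mode: print one stack, one mmap() and one text (execbase) address. */
static int probe(void) {
    volatile char on_stack = 0;
    void *m = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
    if (m == MAP_FAILED) return 1;
    printf("%" PRIxPTR " %" PRIxPTR " %" PRIxPTR "\n",
           (uintptr_t)&on_stack, (uintptr_t)m, (uintptr_t)probe);
    return 0;
}

int main(int argc, char **argv) {
    if (argc > 1 && strcmp(argv[1], "--probe") == 0) return probe();
    uintptr_t stack[RUNS], map[RUNS], exec[RUNS];
    char cmd[1024];
    snprintf(cmd, sizeof cmd, "%s --probe", argv[0]);  /* assumes argv[0] is runnable */
    for (int i = 0; i < RUNS; i++) {
        FILE *p = popen(cmd, "r");   /* a fresh exec, so the execbase is re-randomized */
        if (!p || fscanf(p, "%" SCNxPTR " %" SCNxPTR " %" SCNxPTR,
                         &stack[i], &map[i], &exec[i]) != 3) {
            fprintf(stderr, "probe run %d failed\n", i);
            return 1;
        }
        pclose(p);
    }
    printf("stack: %d varying bits\nmmap:  %d varying bits\nexec:  %d varying bits\n",
           varying_bits(stack, RUNS), varying_bits(map, RUNS), varying_bits(exec, RUNS));
    return 0;
}
```

Run it once with security.pax.aslr.status=1 and once with it set to 0 (or from inside a jail whose ASLR is off) and the exec line should drop to 0 varying bits in the disabled case; a non-PIE build will likewise show 0 for exec regardless of the sysctl.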